
Twitter Tweetdeck hack was a storm in a twee cup

Nothing much to see there
Thu Jun 12 2014, 10:36

A HACKING ATTACK on Tweetdeck that saw users warned off the app was actually a rather old cross-site scripting (XSS) vulnerability that just happened to be exploited.

While some of the industry is standing on a stool drawing its skirts up around its knees, the attack, vulnerability or all-out assault on the internet app was a bit of a damp squib.

What happened is that a young chap stumbled across the vulnerability and tweeted it publicly at the outfit. Other people saw that tweet and the opportunity it offered, and began exploiting it. This led to a number of confused messages, some of which attempted to Rick Roll users, an infamous act of web trolling.

The young Austrian's experiments at putting a heart into his messages led to copycats immediately, and forced Tweetdeck into performing maintenance on its systems. @firoxl, for it was he, is apparently fed up with the attention and the reaction that his experiment has caused.

"I'm getting tired of this. I did not hack anyone... I just found the bug," he wrote. "I wish this whole thing never happened."

Michael Sutton, VP of security research at Zscaler, described the incident as a Twitter worm, adding that it had been some time since one was last seen. He added that @firoxl had not maliciously exposed users, but had stumbled on a hoary old issue.

"XSS remains the most common vulnerability seen in web apps. It remains a common flaw even on popular internet properties as it can be challenging to properly validate all user supplied input, especially when trying to be flexible and allow users to post rich media content," he said.

"Twitter user @firoxl accidentally uncovered the flaw when looking for a way to post an emoticon and others quickly piled on, using the flaw to force automated retweets."
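The trade-off Sutton describes, wanting to render an emoticon from user text without letting that text become markup, is the whole story of this class of bug. The example below is an added illustration and is not Tweetdeck's, Twitter's or Zscaler's code: it puts a naive renderer that concatenates tweet text into HTML beside a hardened one that escapes first and only then applies app-controlled rich-content rules. The shortcode names (`:heart:`, `:smile:`), the sample tweet body and the helper names are constructed assumptions.

```javascript
// Added illustration, not Tweetdeck's code. Shows why "allow rich content"
// does not have to mean "trust user markup": escape the user's text, then
// rewrite only allow-listed tokens into markup the app itself builds.

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Unsafe pattern: tweet text is concatenated into markup unchanged, so a
// body containing a <script> tag or an event-handler attribute becomes live HTML.
function renderTweetUnsafe(text) {
  return `<div class="tweet">${text}</div>`;
}

// Allow-listed shortcodes (constructed names) mapped to fixed HTML entities.
const SHORTCODES = { ":heart:": "&hearts;", ":smile:": "&#9786;" };

// Hardened pattern: escape first, then apply rich-content rules to the
// escaped string. Each rule inserts markup the app wrote, never user text.
function renderTweetSafe(text) {
  let html = escapeHtml(text);
  // Emoticons: only exact allow-listed tokens are rewritten; anything else stays text.
  html = html.replace(/:[a-z]+:/g, (tok) => SHORTCODES[tok] ?? tok);
  // Links: only http(s) URLs are linkified, and the already-escaped URL is
  // reused as both href and label, so no new attribute context can be opened.
  html = html.replace(/\bhttps?:\/\/[^\s<"']+/g,
    (url) => `<a href="${url}" rel="noopener noreferrer">${url}</a>`);
  return `<div class="tweet">${html}</div>`;
}

// Detection-style check: does the rendered markup contain any tag other than
// the <div> and <a> elements the renderer itself emits?
function hasForeignTag(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => t !== "div" && t !== "a");
}

// Constructed sample tweet body: an emoticon shortcode, a script tag and a link.
const SAMPLE = "I :heart: tweetdeck <script>alert(1)</script> https://example.com/x";

// Summarise both renderers on the sample so the difference is visible at a glance.
function compare(text = SAMPLE) {
  return {
    unsafeLeaksTag: hasForeignTag(renderTweetUnsafe(text)),
    safeLeaksTag: hasForeignTag(renderTweetSafe(text)),
    safeHtml: renderTweetSafe(text),
  };
}
```

The order matters: escaping after the shortcode or link rewrite would mangle the markup the app just produced, while escaping before it means the only `<` characters in the output are the ones the renderer wrote. A templating library with contextual auto-escaping gives the same guarantee with less hand-rolled code.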

Tweetdeck reported that the issue has been fixed, but uttered the advice of our times as a backup.

"A security issue that affected Tweetdeck this morning has been fixed," it said. "Please log out of Tweetdeck and log back in to fully apply the fix." µ
